We got a great glimpse into how Google figured out when a star former engineer allegedly stole 14,107 files

Former Uber CEO Travis Kalanick and Anthony Levandowski are accused of conspiring to steal trade secrets from Waymo.
Associated Press

IT and digital forensics played a big part of Day 2 testimonies at the Uber vs. Waymo trial on Tuesday.

Gary Brown, a security engineer at Google, was called to the stand by Waymo to testify on the allegations that former star self-driving car engineer Anthony Levandowski downloaded 14,107 files before leaving the company.

Brown testified that he discovered Levandowski's alleged theft by using three IT tools.

The IT department is playing a key role in the Uber vs. Waymo trial playing out in a San Francisco court room this week, as the two tech titans clash over whether Uber used Waymo trade secrets to advance its self-driving car research.

One of the key witnesses called to the stand by Waymo, a subsidiary of Google parent company Alphabet, is a Google security engineer named Gary Brown.

Brown testified on Tuesday that he was one of two people who ran forensics on the computer belonging to Anthony Levandowski, a former star engineer at Waymo accused of stealing trade secrets and sharing them with Uber. Following Uber's acquisition of his company Otto, Levandowski worked at the ride-hailing startup before getting fired in May 2017.

Brown testified that he discovered logs that showed 9.74 GB of data, equalling 14,107 files, were downloaded onto a USB drive from a computer issued to Levandowski by Google.

To uncover the logs, Brown said he used three key elements of Google's IT system: an internal database called Armada, an internal forensics tool called GRR, and a security application called Bit9.

Armada

Armada is an internal IT database at Google. Brown said he used Armada to confirm that the network address used to download the files was from Levandowski's computer.

Lawyers for Uber don't dispute that Levandowski took the files, but argue that they weren't used for the startup's self-driving car program. Nonetheless, Uber's legal team has made a point of highlighting that the computer associated with the downloads was owned by Google and issued to Levandowski during his employment at the company.

Bit9

Brown testified that he used a tool called Bit9 to see that someone had moved the files in question on to a detachable thumb drive.

Bit9, which has since been rebranded as "Cb Protection" after a merger with cybersecurity software company Carbon Black, logs when portable storage units like thumb drives are attached and removed from business computers.

This is a key element of the case — Waymo contends that Levandowski took the thumb drive in question to Uber and used the trade secrets contained therein to accelerate its self-driving car program.

GRR

The bulk of this forensics detective work, though, appears to have relied on another internal tool at Google called GRR, short for "Google Rapid Response."

Basically, GRR is a piece of software that's installed on corporate-issued devices like Levandowski's laptop. It logs certain events, like when sensitive files are accessed. And, importantly, that information gets sent back to Google on a regular basis, so the company can figure out what happened if a device is lost or stolen.

"When these machines are connected to the internet they send their logs back to Google infrastructure for events when the device might be unrecoverable," Brown said.

Brown testified that he was able to use GRR to discover which files Levandowski accessed, without needing to physically access the laptop in question itself. The logs were apparently sent back to Google for review.

The logs on Levandowski's computer, Brown testified, were unrecoverable from the computer itself because it was wiped clean of the Microsoft Windows operating system and rebooted using Linux.

EXCLUSIVE FREE REPORT: The Self-Driving Car Race Report by the BI Intelligence Research Team. Get the Report Now »